Ingress in Kubernetes
I was doing some research about ingress and it seems I have to create a new ingress resource for each namespace. Is that correct?
I just created 2 separate ingress resources in different namespaces in my GKE cluster but it seems to use the same LB (which is great for cost) but I would think it is possible to have clashes then (when using the same path). I just tried it and the first one I've created is still working on the path, the other newer one on the same path is just not working.
Can someone explain to me the correct setup for ingress?
As Kubernetes works, the ingress controller won't pass a packet to a service that is in a different namespace from the ingress resource. So, if you create an ingress resource in the default namespace, all your services must be in the default namespace as well.
This is something that won't change. EVER. There was a feature request years ago, and the Kubernetes team announced that it's not going to happen. It introduces a security hole when the ingress controller is able to trespass a namespace.
Now, what we do in these situations is actually pretty neat. You will have to do the following:
service1.foo and service2.bar.
Endpoint objects pointing to the IP addresses of the services service1.foo and service2.bar, in the same namespace as the ingress resource.
The headless service without selectors will force kube-dns (or coreDNS) to search for either ExternalName type service or an Endpoint object. Now, the only requirement here is that your headless service and the Endpoint object must have the same name. It should look like this (for 1 service):
Say the IP address of service1.foo is 10.10.10.10. Your headless service and the Endpoint object would be:
apiVersion: v1
kind: Service
metadata:
  name: bait-svc
spec:
  clusterIP: None
  ports:
  - name: http
    port: 80
    targetPort: 80
---
apiVersion: v1
kind: Endpoints
metadata:
  name: bait-svc
subsets:
- addresses:
  - ip: 10.10.10.10
  ports:
  - port: 80
    protocol: TCP
and Ingress resource:
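# Note: the extensions/v1beta1 Ingress API was removed in Kubernetes 1.22;
# current clusters serve Ingress from networking.k8s.io/v1.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - secretName: ssl-certs
  rules:
  - host: site1.training.com
    http:
      paths:
      - path: /
        backend:
          serviceName: bait-svc
          servicePort: 80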
So, the Ingress points to the bait-svc, and bait-svc points to service1.foo. And you will do this for each service.
UPDATE
I am thinking now, it might not work with GKE Ingress Controller, as on GKE you need a NodePort type service for the HTTP load balancer to reach the service. As you can see, in my example I've got nginx Ingress Controller.
Independently of whether it works or not, I would recommend using some other Ingress Controller. It's not that GKE IC is not good. It is quite robust, but almost always you end up hitting some limitation. Other ICs are more flexible.
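An audit for the pattern described in the answer above, as an added example that is not part of the original post: it flags selectorless Services whose same-named Endpoints object lists the ClusterIP of a Service in another namespace, which is how such a bridge shows up to a cluster operator. The objects are constructed samples, and the namespace `web`, the `legacy-db` entry and the helper names are assumptions made for illustration.

```python
# Constructed sample, shaped like items from `kubectl get svc,endpoints -A -o json`.
# The namespace "web" for bait-svc is an assumption; the post does not name it.
def svc(ns, name, cluster_ip, selector=None):
    return {"kind": "Service", "metadata": {"namespace": ns, "name": name},
            "spec": {"clusterIP": cluster_ip, "selector": selector}}

def eps(ns, name, ips):
    return {"kind": "Endpoints", "metadata": {"namespace": ns, "name": name},
            "subsets": [{"addresses": [{"ip": ip} for ip in ips]}]}

SAMPLE_OBJECTS = [
    svc("foo", "service1", "10.10.10.10", {"app": "service1"}),
    svc("web", "bait-svc", "None"),            # headless, no selector
    eps("web", "bait-svc", ["10.10.10.10"]),   # hand-written, targets foo/service1
    svc("web", "legacy-db", "None"),           # headless, no selector
    eps("web", "legacy-db", ["192.0.2.10"]),   # external address, not a ClusterIP
]

def find_cross_namespace_bridges(objects):
    """Flag selectorless Services whose same-named Endpoints object lists the
    ClusterIP of a Service that lives in a different namespace."""
    services = [o for o in objects if o["kind"] == "Service"]
    endpoints = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
                 for o in objects if o["kind"] == "Endpoints"}
    # Map each allocated ClusterIP to the Service that owns it.
    ip_owner = {s["spec"]["clusterIP"]: (s["metadata"]["namespace"], s["metadata"]["name"])
                for s in services if s["spec"].get("clusterIP") not in (None, "", "None")}
    findings = []
    for s in services:
        if s["spec"].get("selector"):
            continue  # Endpoints are managed by the control plane, not by hand
        ns, name = s["metadata"]["namespace"], s["metadata"]["name"]
        ep = endpoints.get((ns, name))
        for subset in (ep or {}).get("subsets") or []:
            for addr in subset.get("addresses") or []:
                owner = ip_owner.get(addr["ip"])
                if owner and owner[0] != ns:
                    findings.append({"bridge": f"{ns}/{name}", "ip": addr["ip"],
                                     "target": f"{owner[0]}/{owner[1]}"})
    return findings

if __name__ == "__main__":
    for f in find_cross_namespace_bridges(SAMPLE_OBJECTS):
        print(f"{f['bridge']} -> {f['target']} via {f['ip']}")
```

Each finding is a candidate for review against whatever NetworkPolicy or RBAC rules are meant to keep the two namespaces apart.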
The behavior of conflicting Ingress routes is undefined and implementation dependent. In most cases it's just last writer wins.